tcpdump mailing list archives

problem with caplen<total len


From: "Russ Fink" <russfink () hotmail com>
Date: Fri, 10 Oct 2003 08:03:55 -0400

Hello,

I tried to ask this before, but don't believe I was subscribed - sorry if you're seeing it a second time.

I noticed if you use the "-s" option with the "-w" option in tcpdump, this causes a pure truncate of packets which are then stored into the pcap file. Some of the bigger packets are not valid packets in this case, because the IP total length field represents a larger size than was actually captured. For instance, if I have packets that are 1500 bytes, but I set -s 1000, then tcpdump captures 1000 bytes of the packet but the IP total length still says 1500. Additionally, the checksums are not recomputed for the smaller, truncated packet.

Earlier, I thought this was a bug, but the more I think about it, it's really not. A chop is a chop. The original header data should not be changed just because I'm collecting the packets differently.

My question now is, is there any utility you know of that can fix "broken" pcap files - specifically, update the ip header length = caplen, and recompute the various checksums?

Thanks,
Russ


-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
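The kind of repair asked about above, as an added example that is not part of the original post or of tcpdump: it rewrites the IPv4 total length of each truncated packet to the captured size and recomputes the IP header checksum. It assumes a classic (non-pcapng) file with Ethernet framing, also sets the record's original length to the captured length (an assumption, so readers stop reporting truncation), and leaves TCP/UDP checksums alone; `fix_truncated` and `build_sample` are hypothetical names.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def fix_truncated(pcap: bytes):
    """Return (patched pcap, packets patched). Classic pcap, Ethernet, IPv4 only."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    out, pos, fixed = bytearray(pcap[:24]), 24, 0
    while pos + 16 <= len(pcap):
        sec, usec, caplen, wirelen = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        pkt = bytearray(pcap[pos + 16:pos + 16 + caplen])
        pos += 16 + caplen
        avail = len(pkt) - 14          # bytes captured after the Ethernet header
        is_ipv4 = avail >= 20 and pkt[12:14] == b"\x08\x00" and pkt[14] >> 4 == 4
        ihl = (pkt[14] & 0x0F) * 4 if is_ipv4 else 0
        if caplen < wirelen and 20 <= ihl <= avail:
            # Patch only when the header claims more than was captured.
            if struct.unpack("!H", pkt[16:18])[0] > avail:
                pkt[16:18] = struct.pack("!H", avail)   # total length = captured
                pkt[24:26] = b"\x00\x00"                # zero before summing
                pkt[24:26] = struct.pack("!H", ip_checksum(bytes(pkt[14:14 + ihl])))
                wirelen = len(pkt)  # record no longer reports truncation
                fixed += 1
        out += struct.pack(end + "IIII", sec, usec, len(pkt), wirelen) + pkt
    return bytes(out), fixed

def build_sample() -> bytes:
    """Constructed input: a 1500-byte IPv4/UDP frame saved with a 60-byte snaplen."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1486, 1, 0, 64, 17, 0,
                               bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    frame = (b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + bytes(ip)).ljust(60, b"\x00")
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 60, 1)
    return ghdr + struct.pack("<IIII", 0, 0, 60, 1500) + frame

if __name__ == "__main__":
    patched, count = fix_truncated(build_sample())
    print(f"patched {count} packet(s), {len(patched)} bytes written")
```

Run it on a copy of the capture: the patched file no longer records that the packets were cut short.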

